From 02916908c062ad3b6137f05c82c2f2792091e45a Mon Sep 17 00:00:00 2001
From: Benjamin Reis
Date: Tue, 5 Nov 2024 09:30:18 +0100
Subject: [PATCH] Call `firewall-port` in IPv6 when management is in IPv6

Signed-off-by: Benjamin Reis
---
 ocaml/xapi/dbsync_slave.ml | 9 ++++++++-
 ocaml/xapi/helpers.ml | 17 +++++++++++++++++
 ocaml/xapi/nm.ml | 22 +++++++++++++++++++++-
 ocaml/xapi/xapi_clustering.ml | 22 ++++++++++++++++++----
 ocaml/xapi/xapi_host.ml | 22 +++++++++-------------
 5 files changed, 73 insertions(+), 19 deletions(-)

diff --git a/ocaml/xapi/dbsync_slave.ml b/ocaml/xapi/dbsync_slave.ml
index 3b90a3a05c3..1877f067bb6 100644
--- a/ocaml/xapi/dbsync_slave.ml
+++ b/ocaml/xapi/dbsync_slave.ml
@@ -126,8 +126,15 @@ let refresh_localhost_info ~__context info =
     )
   else
     Db.Host.remove_from_other_config ~__context ~self:host ~key:Xapi_globs.host_no_local_storage ;
+  let options =
+    match Helpers.get_management_iface_primary_address_type ~__context with
+    | `IPv4 ->
+        ["check"; "80"]
+    | `IPv6 ->
+        ["-6"; "check"; "80"]
+  in
   let script_output =
-    Helpers.call_script !Xapi_globs.firewall_port_config_script ["check"; "80"]
+    Helpers.call_script !Xapi_globs.firewall_port_config_script options
   in
   try
     let network_state = Scanf.sscanf script_output "Port 80 open: %B" Fun.id in
diff --git a/ocaml/xapi/helpers.ml b/ocaml/xapi/helpers.ml
index 30965068f3f..ec77d8867fd 100644
--- a/ocaml/xapi/helpers.ml
+++ b/ocaml/xapi/helpers.ml
@@ -150,6 +150,18 @@ let get_management_ip_addr ~__context =
   let dbg = Context.string_of_task __context in
   Option.map fst (Networking_info.get_management_ip_addr ~dbg)
 
+let get_management_interface ~__context ~host =
+  let pifs =
+    Db.PIF.get_refs_where ~__context
+      ~expr:
+        (And
+           ( Eq (Field "host", Literal (Ref.string_of host))
+           , Eq (Field "management", Literal "true")
+           )
+        )
+  in
+  match pifs with [] -> raise Not_found | pif :: _ -> pif
+
 let get_localhost_uuid () =
   Xapi_inventory.lookup Xapi_inventory._installation_uuid
 
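Review bot: The seven-line `match Helpers.get_management_iface_primary_address_type ~__context with` block that builds `options` is copied verbatim at every call site of `firewall_port_config_script` touched by this patch (this hunk, both nm.ml hunks, both xapi_clustering.ml hunks and the `set_https_only` hunk in xapi_host.ml), each differing only in the trailing argument list. A single helper in helpers.ml that prepends `-6` when the management PIF is IPv6 would keep the six sites in step and make any later change to the rule (for example a host carrying both families) a one-place edit. The sketch below shows such a helper next to `get_management_iface_primary_address_type` and this hunk's call site; the other five sites would reduce to the same one-line call.
```ocaml
(* helpers.ml, after get_management_iface_primary_address_type *)
let firewall_port_config_args ~__context args =
  match get_management_iface_primary_address_type ~__context with
  | `IPv4 ->
      args
  | `IPv6 ->
      "-6" :: args

(* dbsync_slave.ml, refresh_localhost_info: replaces the options binding *)
  let script_output =
    Helpers.call_script !Xapi_globs.firewall_port_config_script
      (Helpers.firewall_port_config_args ~__context ["check"; "80"])
  in
```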
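Review bot: `get_management_interface` arrives in helpers.ml without a doc comment, although it raises on a host with no PIF whose `management` field is true and silently takes the first match when several are flagged. Since this patch gives it new indirect callers in four files, not all of which catch `Not_found`, the contract is worth stating at the definition: `(** [get_management_interface ~__context ~host] returns the first PIF of [host] whose [management] field is true. @raise Not_found if [host] has no management PIF. *)`.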
@@ -165,6 +177,11 @@ let get_localhost ~__context =
   | true ->
       get_localhost_uncached ~__context
 
+let get_management_iface_primary_address_type ~__context =
+  let host = get_localhost ~__context in
+  let management_pif = get_management_interface ~__context ~host in
+  Db.PIF.get_primary_address_type ~__context ~self:management_pif
+
 (* Determine the gateway and DNS PIFs:
  * If one of the PIFs with IP has other_config:defaultroute=true, then
  * pick this one as gateway PIF. If there are multiple, pick a random one of these.
diff --git a/ocaml/xapi/nm.ml b/ocaml/xapi/nm.ml
index 1483106ace5..ac11d033a0b 100644
--- a/ocaml/xapi/nm.ml
+++ b/ocaml/xapi/nm.ml
@@ -796,10 +796,20 @@ let bring_pif_up ~__context ?(management_interface = false) (pif : API.ref_PIF)
           | `vxlan ->
               debug "Opening VxLAN UDP port for tunnel with protocol 'vxlan'" ;
+              let options =
+                match
+                  Helpers.get_management_iface_primary_address_type
+                    ~__context
+                with
+                | `IPv4 ->
+                    ["open"; "4789"; "udp"]
+                | `IPv6 ->
+                    ["-6"; "open"; "4789"; "udp"]
+              in
               ignore
               @@ Helpers.call_script
                    !Xapi_globs.firewall_port_config_script
-                   ["open"; "4789"; "udp"]
+                   options
           | `gre ->
               ()
         )
@@ -857,6 +867,16 @@ let bring_pif_down ~__context ?(force = false) (pif : API.ref_PIF) =
   in
   if no_more_vxlan then (
     debug "Last VxLAN tunnel was closed, closing VxLAN UDP port" ;
+    let options =
+      match
+        Helpers.get_management_iface_primary_address_type
+          ~__context
+      with
+      | `IPv4 ->
+          ["close"; "4789"; "udp"]
+      | `IPv6 ->
+          ["-6"; "close"; "4789"; "udp"]
+    in
     ignore
     @@ Helpers.call_script
          !Xapi_globs.firewall_port_config_script
diff --git a/ocaml/xapi/xapi_clustering.ml b/ocaml/xapi/xapi_clustering.ml
index d2b61be2f55..a4a8f2fd38a 100644
--- a/ocaml/xapi/xapi_clustering.ml
+++ b/ocaml/xapi/xapi_clustering.ml
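Review bot: `get_management_iface_primary_address_type` turns every firewall-port call in this patch into one that can raise `Not_found` (through `get_management_interface`), where the previous literal argument lists could not fail. Of the new call sites only `Daemon.enable` in xapi_clustering.ml visibly sits inside a `try ... with _ ->`; in `refresh_localhost_info`, `bring_pif_up`, `bring_pif_down`, `Daemon.disable` and `set_https_only` the exception propagates as far as the hunks show (any enclosing handler is outside the diff). Either state this on the new function — `(** Address family of the local host's management PIF. @raise Not_found if the local host has no management PIF. *)` — or return an `option` so each caller decides whether a missing management PIF should abort the operation or fall back to the pre-patch IPv4 invocation.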
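Review bot: In `bring_pif_down` the new `options` binding is never used: the hunk ends at the context line `!Xapi_globs.firewall_port_config_script` with no `-`/`+` for the argument list that follows it, and the diffstat's single deletion in nm.ml is the one in `bring_pif_up`, so the close call still passes its original `["close"; "4789"; "udp"]` (that line lies just past the hunk, as does the rest of `bring_pif_down`). On an IPv6-managed host the UDP port opened with `-6` in `bring_pif_up` is therefore never closed, and the unused `options` will also trip the unused-variable warning in a warnings-as-errors build. The fix is the same one-word change the `bring_pif_up` hunk makes: replace the surviving argument line with `options`.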
@@ -274,9 +274,18 @@ module Daemon = struct
         raise Api_errors.(Server_error (not_implemented, ["Cluster.create"]))
       ) ;
       ( try
+          let options =
+            match
+              Helpers.get_management_iface_primary_address_type ~__context
+            with
+            | `IPv4 ->
+                ["open"; port]
+            | `IPv6 ->
+                ["-6"; "open"; port]
+          in
           maybe_call_script ~__context
             !Xapi_globs.firewall_port_config_script
-            ["open"; port] ;
+            options ;
           maybe_call_script ~__context !Xapi_globs.systemctl ["enable"; service] ;
           maybe_call_script ~__context !Xapi_globs.systemctl ["start"; service]
         with _ ->
@@ -295,9 +304,14 @@ module Daemon = struct
     Atomic.set enabled false ;
     maybe_call_script ~__context !Xapi_globs.systemctl ["disable"; service] ;
     maybe_call_script ~__context !Xapi_globs.systemctl ["stop"; service] ;
-    maybe_call_script ~__context
-      !Xapi_globs.firewall_port_config_script
-      ["close"; port] ;
+    let options =
+      match Helpers.get_management_iface_primary_address_type ~__context with
+      | `IPv4 ->
+          ["close"; port]
+      | `IPv6 ->
+          ["-6"; "close"; port]
+    in
+    maybe_call_script ~__context !Xapi_globs.firewall_port_config_script options ;
     debug "Cluster daemon: disabled & stopped"
 
   let restart ~__context =
diff --git a/ocaml/xapi/xapi_host.ml b/ocaml/xapi/xapi_host.ml
index 7958a15a367..7270f5c5081 100644
--- a/ocaml/xapi/xapi_host.ml
+++ b/ocaml/xapi/xapi_host.ml
@@ -1221,16 +1221,7 @@ let syslog_reconfigure ~__context ~host:_ =
   ()
 
 let get_management_interface ~__context ~host =
-  let pifs =
-    Db.PIF.get_refs_where ~__context
-      ~expr:
-        (And
-           ( Eq (Field "host", Literal (Ref.string_of host))
-           , Eq (Field "management", Literal "true")
-           )
-        )
-  in
-  match pifs with [] -> raise Not_found | pif :: _ -> pif
+  Helpers.get_management_interface ~__context ~host
 
 let change_management_interface ~__context interface primary_address_type =
   debug "Changing management interface" ;
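Review bot: In `Daemon.disable` the address-family lookup now runs after `Atomic.set enabled false` and the two systemctl calls, so if `Helpers.get_management_iface_primary_address_type` raises (it can, via `get_management_interface`'s `Not_found`) the daemon is already stopped and flagged disabled while its firewall port stays open, and nothing in the hunk reopens the service or reports the partial state. Binding `options` first — moving the whole `let options = ... in` block above `Atomic.set enabled false ;` — puts the only fallible lookup before any state change, at no cost since the value does not depend on the service state. `Daemon.enable` in the hunk above already has this ordering, with the lookup inside its `try`.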
@@ -3045,10 +3036,15 @@ let set_https_only ~__context ~self ~value =
   let state = match value with true -> "close" | false -> "open" in
   match cc_prep () with
   | false ->
+      let options =
+        match Helpers.get_management_iface_primary_address_type ~__context with
+        | `IPv4 ->
+            [state; "80"]
+        | `IPv6 ->
+            ["-6"; state; "80"]
+      in
       ignore
-      @@ Helpers.call_script
-           !Xapi_globs.firewall_port_config_script
-           [state; "80"] ;
+      @@ Helpers.call_script !Xapi_globs.firewall_port_config_script options ;
       Db.Host.set_https_only ~__context ~self ~value
   | true when value = Db.Host.get_https_only ~__context ~self ->
       (* the new value is the same as the old value *)
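Review bot: `set_https_only` is keyed on `~self`, but the `-6` decision comes from `Helpers.get_management_iface_primary_address_type ~__context`, which resolves the local host's management PIF; the two agree only if this call always executes on the host `self` names (plausible given message forwarding, but not visible in the hunk). Separately, if `firewall-port` with `-6` acts on the IPv6 rules only, a host whose management interface was switched from IPv4 to IPv6 keeps whatever port-80 rule its IPv4 family last had, so `https_only = true` may no longer close plain HTTP on both families — worth confirming against the script, and if so closing both families whenever `state` is `"close"`. At minimum a comment at the match, `(* firewall-port acts on one address family; follow the management PIF's *)`, records the assumption for the next reader.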